Dmitry Kurbatov
Vladimir Kropotov
Positive Research
Agenda
Intro
Attacks prerequisites, costs and case studies
Official and underground market brief
Possible Security measures
Forecasts
In Service LTE Networks
VoLTE Networks
http://ltemaps.org/
Most of the world performs HANGDOVER
LTE is used only for web browsing
To perform a call, the subscriber is downgraded to 3G (handover)
Interconnect / roaming (diagram): 2G / 3G networks interconnect over SS7 (E1 links); 3G / 4G networks over GRX and IPX (IP links)
Kind of IPv4 vs IPv6 dilemma: SS7 is still the most used interconnect / roaming network
(Diagram: SS7 core network. Subscriber A is served by an MSC/VLR; the MSC, HLR, SMS-C and Gateway MSC are linked over SS7 and handle mobility, call control, billing and crypto; subscriber B is reached through the same core.)
2014 - year of SS7 security issues
Hackito Ergo Sum 2014: Locating mobile phones
Washington Post: Secretly track cellphones
31C3: SS7: Locate. Track. Manipulate; Mobile self-defense
SS7 for (bad) guys
Tracking
Locating mobile phones and secretly tracking
Denial of Service
Disrupt subscriber connectivity and service availability
Interception
Listen to calls, intercept short messages
Threats to Operator
Threats to IoT
Basic Terms
Get Cell ID (diagram: attacker claiming "I am SMSC"; nodes MSC, HLR, Bob)
1. Attacker sends a provideSubscriberInfo MAP request, addressing it by IMSI and asking for the subscriber location
2. MSC replies with Cell ID: MCC 250, MNC 90, LAC 4A67, CID 673D
Get Location
1. Search the Internet for the physical location by MCC 250, MNC 90, LAC 4A67, CID 673D
and Track User Just Like SkyLock
http://s3.documentcloud.org/documents/1275167/skylock-product-description-2013.pdf
Underground market demands: tracking a subscriber using the phone number
Yep, even in 2010
Tracking: nobody wants to be constantly monitored.
Tracking is a violation of personal data protection laws.
ProvideSubscriberInfo
ProvideSubscriberLocation
DoS
To make someone unavailable
To stop data leakage
What else?
Common Step 0 for Any Attack (diagram: Fake MSC, SMS-C, MSC, HLR, Bob)
1. Attacker sends a SendRoutingInfoForSM MAP request, addressing it by MSISDN
2. HLR replies with: own address, serving MSC address, IMSI
Denial of Service. Step 1 (diagram: Fake MSC, SMS-C, MSC, HLR, Bob)
1. Attacker registers Bob on the fake MSC
2. HLR sets up the new location for Bob
3. HLR asks the real MSC to release the memory
Denial of Service. Step 2 (diagram: Fake MSC, SMS-C, MSC, HLR, Alex, Bob)
1. Alex calls Bob
2. MSC looks for Bob and asks HLR to provide information
3. HLR asks the fake MSC to provide a Roaming Number
demo
Interception
How to Intercept SMS?
A virus on a smartphone? And what if a certain subscriber is the target, how to infect him in particular?
Reissue SIM? It works only once.
Radio signal interception (GSM A5/1)? You need to be nearby.
Via SS7 network
A Cheap Way For Tapping: 10$ + OpenSource (f)or $$7
Common Step 0 for Any Attack (same as above): attacker sends a SendRoutingInfoForSM MAP request by MSISDN; HLR replies with its own address, the serving MSC address and the IMSI
SMS Interception. Step 1 (same as Denial of Service step 1): attacker registers Bob on the fake MSC; HLR sets up the new location for Bob and asks the real MSC to release the memory
SMS Interception. Step 2 (diagram: Fake MSC, SMS-C, MSC, HLR, Alex, Bob)
1. Alex sends an SMS to Bob
2. MSC forwards the SMS to the SMS-C
3. SMS-C asks HLR for Bob's location
4. HLR replies with the fake MSC address
5. SMS-C forwards the SMS to the fake MSC
demo
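The MAP sequences in the slides above (location probing with provideSubscriberInfo, the SendRoutingInfoForSM step 0, and the fake-MSC registration behind the DoS and SMS interception steps) can be watched for on the interconnect. The monitor below is an added example, not code from the deck or from Positive Research; the home and roaming-partner global title prefixes, the event field names and the sample events are all constructed.

```python
"""Added example: SS7/MAP interconnect monitor over constructed events."""
from dataclasses import dataclass, field

HOME_GT_PREFIX = "7905"                 # constructed home-network GT prefix
PARTNER_GT_PREFIXES = ("4915", "3366")  # constructed roaming-partner GT prefixes

# Messages that only make sense inside the home network; arriving from the
# interconnect they match the "Get Cell ID" / location-tracking slides.
HOME_ONLY = {"provideSubscriberInfo", "provideSubscriberLocation", "anyTimeInterrogation"}
# Messages roaming partners legitimately send, but which the deck shows abused
# for IMSI disclosure (step 0) and fake-MSC registration (DoS / SMS interception).
PARTNER_ALLOWED = {"sendRoutingInfoForSM", "updateLocation"}

@dataclass
class Event:
    opcode: str
    calling_gt: str  # global title of the node that sent the request
    imsi: str

@dataclass
class Monitor:
    registered_on: dict = field(default_factory=dict)  # imsi -> GT of current VLR/MSC
    alerts: list = field(default_factory=list)

    def trust(self, gt: str) -> str:
        if gt.startswith(HOME_GT_PREFIX):
            return "home"
        return "partner" if gt.startswith(PARTNER_GT_PREFIXES) else "untrusted"

    def feed(self, ev: Event) -> None:
        t = self.trust(ev.calling_gt)
        if ev.opcode in HOME_ONLY and t != "home":
            self.alerts.append((ev.imsi, f"{ev.opcode} from {t} GT {ev.calling_gt}: location probing"))
        elif ev.opcode in PARTNER_ALLOWED and t == "untrusted":
            self.alerts.append((ev.imsi, f"{ev.opcode} from untrusted GT {ev.calling_gt}"))
        if ev.opcode == "updateLocation":
            self.registered_on[ev.imsi] = ev.calling_gt  # HLR now points at this "MSC"
        # While a subscriber sits on an untrusted MSC, every SRI-SM answer routes
        # that subscriber's SMS there (SMS Interception, step 2).
        if ev.opcode == "sendRoutingInfoForSM":
            vlr = self.registered_on.get(ev.imsi)
            if vlr and self.trust(vlr) == "untrusted":
                self.alerts.append((ev.imsi, f"SMS routing requested while registered on untrusted MSC {vlr}"))

def run_sample() -> list:
    """Replays constructed events in the order of the deck's attack steps."""
    m = Monitor()
    for ev in [
        Event("sendRoutingInfoForSM", "4915100001", "250900000000001"),  # partner, normal
        Event("sendRoutingInfoForSM", "6612300007", "250900000000001"),  # step 0 from untrusted GT
        Event("provideSubscriberInfo", "6612300007", "250900000000001"),  # Get Cell ID from outside
        Event("updateLocation", "6612300007", "250900000000001"),         # Bob registered on fake MSC
        Event("sendRoutingInfoForSM", "7905200002", "250900000000001"),  # home SMS-C asks where Bob is
    ]:
        m.feed(ev)
    return m.alerts
```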
SMS Interception, We Really Missed You
Access to payment service
Recover passwords for email and social networks
Online banking OTP
Illegal cases SMS Interception
TBD
Payment confirmation
SMS Interception
Devices for SMS Interception
Active actions and Impersonation
Critical
Research Updates
SS7 security threats
Mobile Internet vulnerabilities (GPRS)
SIM vulnerabilities
http://www.ptsecurity.com/library/whitepapers/
http://blog.ptsecurity.com/
Questions?